To Secure the Example Web Service Client Application (SA)

This section demonstrates adding security to the web service client
that references the web service created in the previous section. This web
service is secured using the security mechanism described in SAML Authorization over SSL.

To add security to the client that references this web service, complete
the following steps.

This example uses a non-JSR-109-compliant client for variety.
To do this, create the client application up to the step where you create
the Servlet (step 7 as of this writing) by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service,
with the following exceptions:

In the step where you are directed to cut and paste the URL of
the web service that you want the client to consume into the WSDL URL field,
type https://fully-qualified-hostname:8181/CalculatorApplication/CalculatorWSService?wsdl, to indicate
that this client should reference the web service using the secure port.

The first time you access this service, accept the certificate (s1as) when you are prompted. The prompt shows the server certificate,
which the server presents to confirm its identity to the client.

In some cases, you might
get an error dialog telling you that the URL https://fully-qualified-hostname:8181/CalculatorApplication/CalculatorWSService?wsdl couldn’t be downloaded. However, this is the correct URL, and
it does load when you run the service. So, when this error occurs, repeat
the steps that create the Web Service Client using the secure WSDL. The second
time, the web service reference is created and you can continue creating the
client.

Provide the client’s private key by pointing to an alias
in the keystore. To do this, expand the Certificates node, click the Load
Aliases button for the keystore, and select xws-security-client from
the Alias list.

Note –

If you are using a certificate other than the updated GlassFish
certificates described in To Update GlassFish Certificates, or are otherwise using a different alias for the client’s
private key, correct the private key alias in the line in the SAMLCallbackHandler.java file that looks like this:

String client_priv_key_alias="xws-security-client";

If you are using different keystore/truststore files than those described
in To Update GlassFish Certificates, edit
the following code in the SAMLCallbackHandler.java file
accordingly:

Provide the server’s certificate by pointing to an alias
in the client truststore. To do this, from the Certificates node, click the
Load Aliases button for the Truststore and select xws-security-server.

Expand the Username Authentication node. In the SAML Callback
Handler field, type the name of the class written in step 3 above, xwss.saml.SamlCallbackHandler.

Click OK to close this dialog.
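
The following check is an added example, not part of the original tutorial or of WSIT. It confirms that the two aliases selected in the dialog resolve as expected: a private key under xws-security-client in the keystore and a currently valid certificate under xws-security-server in the truststore. The class name AliasPreflight and its two path arguments are assumptions, and it requires Java 9 or later for KeyStore.getInstance(File, char[]).

```java
import java.io.Console;
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Added example (not from the tutorial). Usage: java AliasPreflight <keystore> <truststore>
public class AliasPreflight {
    // Alias names as given on this page; change them if your stores use others.
    static final String CLIENT_KEY_ALIAS = "xws-security-client";
    static final String SERVER_CERT_ALIAS = "xws-security-server";

    // Returns null when the alias is usable, otherwise a description of the problem.
    static String check(KeyStore store, String alias, boolean needPrivateKey) throws Exception {
        if (!store.containsAlias(alias)) return "alias '" + alias + "' not found";
        if (needPrivateKey && !store.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class))
            return "alias '" + alias + "' holds no private key";
        Certificate cert = store.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) return "alias '" + alias + "' has no X.509 certificate";
        try {
            ((X509Certificate) cert).checkValidity(); // rejects expired or not-yet-valid certificates
        } catch (CertificateException e) {
            return "alias '" + alias + "': " + e.getMessage();
        }
        return null;
    }

    // Opens a store, detecting its type; the password is prompted for, not passed as an argument.
    static KeyStore open(Console console, String path) throws Exception {
        char[] password = console.readPassword("Password for %s: ", path);
        return KeyStore.getInstance(new File(path), password);
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (from a terminal): java AliasPreflight <keystore> <truststore>");
            System.exit(2);
        }
        String keyProblem = check(open(console, args[0]), CLIENT_KEY_ALIAS, true);
        String certProblem = check(open(console, args[1]), SERVER_CERT_ALIAS, false);
        if (keyProblem != null) System.err.println("FAIL (keystore): " + keyProblem);
        if (certProblem != null) System.err.println("FAIL (truststore): " + certProblem);
        System.exit(keyProblem == null && certProblem == null ? 0 : 1);
    }
}
```

A nonzero exit status means at least one alias is missing, is of the wrong entry type, or has a certificate outside its validity period.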

In the tree, drill down from the project to Source Packages->META-INF.
Double-click CalculatorWSService.xml, and verify that
lines similar to the following are present, where xwss.saml.SamlCallbackHandler is the SAML Callback Handler class for the client: